More data leaked when a filing cabinet is sold

June 29, 2014 |

The current focus on inadvertent data leaks is upon losing USB sticks and memory cards and the theft of  laptops. The Information Commissioner’s office reports that the loss of documents inadvertently left in a filing cabinet which was then sold to a member of the public is just as much a problem. In Prison service warned after Maze records sold at auction the ICO reports on the prison service of Northern Ireland selling a filing cabinet at auction. The person who purchased the filing cabinet found some very sensitive records regarding the inmate and prison officers. Given the reorganisation of the prison service, with the incident occurring under the watch of the predecessor, and that the incident predated the powers of the ICO to take stronger action the ICO issued a warning and the Department of Justice entered into an undertaking.

Recycling and selling old office equipment is not a new phenomanon.  There needs to be proper procedures to ensure that only what is intended to be sold ends up in the hands of the purchaser.  It shouldn’t be a problem if some basic protocols are followed.  The potential reputational and damages by way of penalty can be considerable if equipment containing significant amounts of data are released in breach of the legislation, in Australia the Privacy Act.  That is particularly the case with data stored in digital form, such as in the hard drive of desktops, laptops and faxes.

The ICO’s news release provides:

The prison service in Northern Ireland has been warned by the UK data protection regulator after a filing cabinet containing Maze Prison records was unwittingly sold at auction.

The incident occurred in 2004 when a cabinet that officials thought was empty was sold at a public auction. It in fact contained files about the closure of the prison, including the details of staff and a high profile prisoner. The Northern Ireland Office, which was responsible for prisons at that time, retrieved the information but failed to report the matter to the Information Commissioner’s Office (ICO).

The ICO became aware of the breach when a similar incident occurred in 2012. By this time the Department of Justice Northern Ireland had taken responsibility for prisons across Northern Ireland.

The second incident – which also involved the loss of sensitive information left in an old cabinet sold at auction – resulted in the Department of Justice receiving a penalty of £185,000. The ICO was unable to issue a penalty for the 2004 breach as the incident occurred before the ICO had the power to issue monetary penalties.

ICO Assistant Commissioner for Northern Ireland, Ken Macdonald, said:

“This is a story of basic errors and poor procedures, which if the incident happened today would see us issuing a substantial fine.

“The loss of this information represents not only an embarrassing episode for the prison service in Northern Ireland, but a serious breach of the Data Protection Act that could have had damaging repercussions for the individuals affected.

“The incident went unreported for eight years and the same mistakes were allowed to occur. It is only now that we have seen a commitment from the Department of Justice Northern Ireland to tackle these problems and keep people’s information secure.”

Under today’s agreement the Department of Justice Northern Ireland must keep a record to ensure condemned equipment containing personal data has been emptied or erased before removal. They will also introduce annual refresher and induction training for all staff whose role involves the routine processing of personal data by September 2014.

The undertaking provides:

 I, Nick Perry, Permanent Secretary, of the Department of Justice, for and on behalf of the Department of Justice hereby acknowledge the details set out below and undertake to comply with the terms of the following Undertaking:

The Department of Justice, established on 12 April 2010, is the current data controller as defined in section 1(1) of the Data Protection Act 1998 (the ‘Act’), in respect of the processing of personal data carried out by the Department of Justice and is referred to in this Undertaking as the ‘data controller’. Section 4(4) of the Act provides that, subject to section 27(1) of the Act, it is the duty of a data controller to comply with the data protection principles in relation to all personal data in respect of which it is a data controller.

On 12 November 2012 the Information Commissioner’s Office was informed by e-mail by the data controller of a security breach which occurred in 2004 under the data controller’s predecessor, a previous public authority.

 In the email, the current data controller reported that a member of the public contacted the current data controller to explain that he had found documents which originated from within the service. The individual found the documents in a filing cabinet which he bought at an auction in 2004. The documents in the filing cabinet contained personal data relating to staff and inmates of the prison service. This included paperwork relating to a high profile inmate of the former Maze Prison, the closure of Maze Prison and the personal data of staff who worked at Maze Prison.

 The Commissioner has considered the compliance by the data controller’s predecessor with the provisions of the Act in the light of this matter. The relevant provision of the Act is the Seventh Data Protection Principle. This Principle is set out in Schedule 1 Part I to the Act. The Commissioner has also considered the fact that some of the data compromised in this incident consisted of information that is defined as ‘sensitive personal data’ under section 2 of the Act.

This Commissioner has taken account of the fact the filing cabinet was sold off by the data controller’s predecessor, a previous public authority nine years ago and, therefore, that the incident predates the introduction of his powers under sections 55A and 55B of the Act (introduced by the Criminal Justice and Immigration Act 2008 which came into force on 6 April 2010) to serve a Monetary Penalty Notice.

 The Commissioner recognises that the current data controller has undergone significant organisational reform since the incident occurred, however, in order safeguard against a further incident of this nature the current data controller must take additional steps to improve its asset management and data protection procedures. As such, it is agreed that in consideration of the Commissioner not exercising his powers to serve an Enforcement Notice under section 40 of the Act, the current data controller undertakes as follows, without any acceptance of liability in respect of the breach:

 The current data controller shall, as from the date of this Undertaking and for so long as similar standards are required by the Act or other successor legislation, ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act, and in particular that:

 1.   The record of condemned equipment is updated to include a section which confirms that any assets used to store personal data have been securely emptied or erased prior to removal;

2.   Induction and annual refresher training in the requirements of the Act shall be provided to all staff whose role involves the routine processing of personal data, by no later than September 2014;
3.   Attendance at training is recorded and monitored and any non-attendance followed up to ensure the schedule is adhered to;

4.   Signed acknowledgements are obtained from all staff,new and existing, which demonstrates they have read and understood all information governance and data protection policies and procedures. Signed acknowledgements are to be held centrally on HR records and updated in accordance with the introduction of new polices and policy updates;

 5.   The current data controller shall implement such other security measures as are appropriate to ensure that personal data is protected against accidental loss.

What is interesting is the time lags involved.  The filing cabinet was purchased 10 or so years ago.  The undertaking states that the purchaser notified the prison service but “when” is given. The ICO was informed about 18 months ago.  The delay between being informed and entering into an undertaking is quite long.  Absent any particular reason justifying such a delay that is a failing of regulation.

One Response to “More data leaked when a filing cabinet is sold”

  1. More data leaked when a filing cabinet is sold | Australian Law Blogs

    […] More data leaked when a filing cabinet is sold […]

Leave a Reply